Privacy for Plebians 101


I’m here to hold your hand through improving your digital footprint in 2025. Think of me as your privacy auntie.

My creds: I am a technical writer in the identity/cybersecurity space. I have always been a tinkerer and reasonably technically savvy, but I am also very aware that most people aren’t trying to do too much. I want to give you easy and accessible ways to think about your threat model and harden your security, without making you set up bespoke solutions or freaking you out about snipers in the bushes.

Why?

Why should you want to improve your privacy and security controls?

  1. You want the internet to stop feeding you creepily specific ads.
  2. You don’t want strangers finding your private pictures or reading your diary.
  3. You are currently applying to jobs and you don’t want your personal information easily googleable.
  4. Data breaches happen super frequently in the US. Your information is already out there, and you can do something today to mitigate your risks and not freak out every time you get a letter in the mail about a new breach.

In some online spaces, it can feel like privacy and security control is an all-or-nothing scenario, that if you don’t spend tons of time setting up servers to self-host all of your files and using Tor for everything, you’re basically selling your soul to Google.

This is patently untrue. There are levels to hardening your privacy and security, and I’m going to help you address a reasonable few concerns.

Level 1: The Bare Minimum

These things are less about privacy and more about security, but will set you up for success for everything else on this list. If you do nothing else on this page, at least do these three things. They’re basically set-and-forget, and will save you lots of anxiety in the long run.

Start using a password manager

No more using an easily guessable password on multiple websites, and no more storing your logins and passwords on a simple note or document. It is a HUGE pain in the ass to get an alert that your login information has been compromised and then have to change your password on dozens of sites.

If you’re in the Apple ecosystem, the Passwords app is free and is automatically implemented on your devices. Bitwarden is another solution that is also free, end-to-end encrypted, and has cloud sync so it’ll be available on all of your devices. 1Password is another easy-to-use solution. All of these options will generate unique passwords for each site you visit, and automatically store them so you don’t have to remember or paste them into another document.

Freeze your credit

Visit Equifax, Experian, and TransUnion online and sign up for free accounts on each of their sites. You do not need to upgrade any memberships or pay for this service.

On Equifax, click Freeze from the sidebar. From Experian, look for Security Freeze. From TransUnion, log into their Service Center. Enable a credit or security freeze on all three bureaus. This prevents anyone from opening any new accounts with your Social Security number, while still allowing you to monitor your credit. This can be managed entirely online, and you only need to go to those same links to unfreeze your credit if you need to open up an account.

Stop answering your phone

Basically, just ignore all unexpected communication because they only want to separate you from your money. This one is so easy because all you have to do is nothing. If a phone call comes from someone not already saved in your contacts, send it to voice mail. If you get a text message or email from an unfamiliar sender, immediately delete it. If it’s really important, they will leave a message or find you somehow.

And this is something you really need to train your elders and children on. If you get an email that seems like it’s from Apple or Google or Chase Bank asking you to log in, unless you are already in a verification or two-factor authentication flow that you initiated, DO NOT CLICK THE LINKS IN THE EMAIL. Instead, type that shit in your browser manually and log in with your password manager.

Level 2: Baby Steps

Now that you’ve gotten your feet wet, let’s take things a step further and start working on your internet privacy.

Enable multifactor (MFA or 2FA) authentication

Multifactor authentication ensures that even if someone were to guess your password or somehow gain access to your password manager, they would not be able to log in to your accounts without an additional key on your person. The most secure way to do this is with an actual physical device like a YubiKey, but for most people, an authenticator app or a code sent to your mobile device is decent enough protection.

It can be a pain to do this for all of your existing accounts, so I recommend starting with the most important ones, which are typically your email accounts and bank accounts. The next tier you might want to address are your shopping accounts (anything that might have a payment attached to it) and your social media accounts.

And to make this easy for future you, starting today, just turn it on for any new accounts you sign up for going forward.

Start using tracking blockers and ad blockers

There are a gajillion adblockers out there, so use whatever works for you and your browsing habits. I’ve personally been using AdGuard for several years now and it’s been great, but I’ve also paid for a lifetime subscription and they don’t pay me to recommend them. The AdGuard desktop app works globally, so I don’t have to install an extension on each browser.

Additionally, tracking blockers help stop trackers from gathering data on you based on your browsing habits. If you’re in the Apple ecosystem, Safari has a built-in feature (Settings > Privacy) to prevent cross-site tracking.

If you’re not in the Apple ecosystem, then I recommend installing uBlock Origin as a browser extension, but this comes with caveats. First, don’t use Chrome, full stop. It’s bad, it’s bloated, and it is not privacy-friendly. If you must use a Chrome-adjacent browser, I recommend Brave above anything else, and just disable Brave Rewards and Wallet in the settings. Otherwise, Firefox with uBlock Origin is also a great option.

This browser hardening is not a difficult step, but it probably has the biggest impact in making browsing a more pleasant and less annoying experience.

Level 3: Do More

Now we’re cooking with gas. Here are ways to further protect yourself from prying eyes.

Encrypt your data

Apple and Google’s solutions for data protection are marketed for people at a high risk of a targeted attack (think journalists or politicians), but I’m seeing more outlets recommend taking these steps. And you should assume surveillance will ramp up and consumer data protections will decrease in the next admin, so it’s worth setting this up. These settings will encrypt your data in the cloud.

Apple calls this Advanced Data Protection and it can be found in System Settings > your main profile > iCloud. This requires you to set up a recovery contact or key, but can be done pretty quickly. Google calls it Advanced Protection Program and more details can be found here.

Have a plan in case your devices get stolen

Within the Apple ecosystem, Find My has an option to remotely erase any device tied to your Apple ID. I believe Google Find My Device has a similar feature for Android. The catch with both of these methods is that Find My needs to be turned on and your devices need to be tied to an ID before they get stolen, so you should set these up as soon as you get your device.

Because I also have an Apple Watch, I’ve also set up an automation so that a certain focus profile triggers the screen lock, turns the brightness to zero, and turns off Airplane Mode so my phone can be tracked and not used. I may not be able to recover the phone, but the thief will also never be able to use it.

De-Google/De-Microsoft your personal life

This often feels like an impossible task — many of us rely on Google or Microsoft apps for work or school and are not allowed to use any other platform — so why do I recommend it at all?

Google exists to gather data on users and serve ads. Its apps are free because it’s actually selling you as the product. It tracks your searches and browsing habits and scans your email. And Microsoft is spyware, full stop. It has been known to rat on you to your employers regarding your own activity on its apps. If you must use them in your professional life, then I recommend not giving them any additional data on your personal life as well.

But this is its own project with its own levels, and not all levels need to be accomplished to make a difference.

Easy: Change your default search engine to something other than Google or Bing. DuckDuckGo is an alternative built into most modern browsers.

Easy: Switch from Chrome or Edge to another browser, like Brave or Firefox (which you should’ve already done).

Medium: Set up a new email address outside of Gmail or Outlook (proton.me or tuta.com are commonly recommended in privacy circles) and start changing your email address on your most important accounts, like banks and government stuff. Then gradually change your email address as you log into shopping and social media accounts. Let the junk go to Google or Outlook.

Medium: Find alternative apps for your photos and cloud drive. Dropbox, Ente, and iCloud are decent alternatives to just get out of the Google or Microsoft ecosystems, but you can also research more privacy- and security-centered alternatives.

Hard: Find alternatives for all other apps, including Workspace, Office, Maps, and YouTube. This is a level I personally do not bother with — I still use YouTube — but there are alternatives to all of these things. The user experience is usually just not very polished.

Hard: This one is not necessarily difficult, but it will mess with the convenience of all of your browsing. Go to Google Takeout to export and download all of the data they keep on you. Then go to Manage My Account > Data & Privacy, and pause all history and turn off all personalized options. If you still want the convenience of suggestions on YouTube, then at least turn off Personalized Ads. This is also a good page to just review all the data Google is keeping on you.

💡
Is Apple that much better?
Apple loves to market its privacy and security measures on its own services and devices, but the jury is still out on whether or not it’s actually safer and more secure than Microsoft or Google if we’re talking about government backdoors or whatever. What I do know is that it’s convenient for me, and does not serve me ads on any of its services, which is good enough for my own personal threat model. Your mileage may vary.

Lock down your social media

The best recommendation here is to just not be on social media, but that’s not really a reasonable expectation in 2025. At the very least, be intentional about the social media platforms you engage with, and DEFINITELY delete your profile on the bird app, as that is now inarguably a data harvesting operation.

If you must give into the FOMO, and you have to keep a job outside of social media or entertainment, then don’t make your full government name visible on your profiles (with the exception of LinkedIn), and don’t post anything public, especially not anything stupid. IT WILL ONLY HURT YOU. Make your personal profiles private and be mindful of who you allow in.

This is generally good advice to keep yourself employable at the very least. There’s a larger philosophical discussion to be had about how to exist in the world without having an audience, and how social media has rotted our society, but that’s beyond the scope of this post.

Level 3.5: Your Work/Life Separation

These are additional steps you should take if you work in America.

Do not use personal devices for work

Do not ever allow your employer to install a managed profile on your personal devices. If they require a managed profile to be installed, they need to provide you with a separate device (laptop and phone) that they own.

Once they provide you with a work device, the best practice is to not access any of your personal life on it. Assume at all times that your employer is watching what you do on their devices, and also assume they will take ownership of any data on your device at the time of your termination.

Do not disclose your social media

I’d tell you to never take a job that requires you to give them access to your social media accounts, but I know we’re living in hard times. The reason why I tell you not to use your government name on sites like Instagram or TikTok is because it gives you plausible deniability. As far as they’re concerned, you don’t use social media at all; you’ve never even heard of her.

Level 4: Do Too Much

The following things might seem tinfoil hatty to regular people, but you’re smarter than that!

REALLY lock down your social media

This section goes beyond what you post and what is public, and is about what social media companies can track about you. There isn’t a whole lot you can do about a platform like Instagram, since you have to download the app to your phone if you want to post anything.

But for all other platforms like Facebook, LinkedIn, Bluesky, Reddit, etc., use them in your browser and don’t install the mobile apps. This way you can at least mitigate ads and tracking, and even install extensions for a better experience. Firefox has a Facebook Container extension, which containerizes tabs you’re using for any Meta products. Safari has the Sink It extension for Reddit, which hides promoted posts.

Remove your personal data from search engines

Data brokers have made it alarmingly easy to get doxxed. Your home address, phone number, and closest confidants only take seconds to find online. One actually cool thing Google has done is make it easy to remove search results about you. Additionally, this is a great resource for removing information about you on a host of other sites.

Get a good VPN and use it

Essentially, a VPN hides your IP and browsing habits from your ISP and other devices on whatever WiFi you’re on. It’s also handy for bypassing region locks on certain websites like streaming providers. It’s more important to make sure all the other services you use are secure through other means, but VPNs are commonly recommended as a next level of protection, especially if you use public WiFi networks (like at the airport or a coffee shop) with any regularity.

Schedule regular security reviews

Schedule security hygiene checks on your calendar. Like one hour every quarter to revisit all of the permissions on your phone and laptop (like what apps have access to your location, camera, microphone, etc.). Another hour every quarter to download one of your credit reports and review and address any changes. A different hour every quarter to check any identity monitoring services you have and change any leaked passwords (many password managers have a monitoring functionality built in). A different hour every quarter to google yourself and remove whatever needs to be removed.

Level 5: DO THE MOST

These are only a couple of steps you can take to protect yourself from scams, theft, or unlawful search. I’m sure there’s more I’m missing but I’m not a lawyer and this is intended to be cursory, 101-level type stuff.

Encrypt all the things

If you have really sensitive shit you want to keep in the cloud, but don’t really trust any cloud services to keep it safe from, say, a search warrant, you can use an app like Cryptomator or VeraCrypt to encrypt your files before uploading to the cloud. This at least makes those files harder to crack.

Use E2EE communications only

More recently, the FBI has been recommending using Signal for cross-platform (iPhone to Android and vice versa) communications because foreign actors have been using the same backdoors insisted on by the US government to lurk around in our telecom systems.

iMessage and Google Messages are fine within their own ecosystems. Allegedly messaging within the Meta umbrella (Facebook, Instagram, WhatsApp) is E2EE as well, but I generally don’t trust them as a company and would recommend you divest from Meta platforms completely.

Have a plan in case you get nabbed by LEO

Probably consult a lawyer on this, but it’s my understanding that passwords and passcodes fall under Fifth Amendment protection, and so law enforcement can’t compel you to give them up. Biometrics are another story, so you should understand how to turn this off quickly and require a passcode on your phone in case you ever get stopped by cops. (On the iPhone, you can do this by pressing the wake-up button five times.)

LEO has tools to get into your phone if it gets seized, but the amount of data they can extract is pretty limited until you first unlock it. Thus, you want to implement a way to remotely restart your phone. Apple has recently baked this into a software update, and will restart your phone if there hasn’t been any activity in a few days. You can also do this through an automation, either at a set time every day, or when some other focus or state is triggered (similar to what I previously recommended doing when your phone is stolen).

Additional Resources

Cover Your Tracks: This tool tests your browser against trackers and fingerprinting.

Privacy Guides: Why Privacy Matters: This is a super in-depth knowledge base on all things privacy, and can help you with an even more secure configuration on any of your devices.